How to stop Memcached DDoS attacks

The Memcached vulnerability has been used in record-breaking DDoS attacks. Various proof-of-concept scripts have been released to exploit the vulnerability.

Hackers have recently been exploiting a vulnerability in the Memcached protocol that gives them the ability to create record-breaking amplification attacks, a type of distributed denial-of-service (DDoS). These attacks are trivial to implement, an information security training researcher said, because no botnet is needed to generate the volume of traffic required to paralyze a given system or network.

Researchers claim to have discovered a way of mitigating the vulnerability in Memcached servers. An information security research team said it has disclosed the new “kill switch” to the authorities in a bid to lock down the flaw worldwide and prevent more damaging attacks.

The Memcached open source memory caching system is found on over 95,000 servers worldwide, where it caches frequently used web pages to boost access times and performance.

“It was never meant to be internet accessible, so it is not protected by any authentication mechanism,” an information security training specialist said. This means hackers can send spoofed requests to amplify DDoS attacks by up to 50,000 times.

The same vulnerability can also be exploited “via a simple debug command” to steal any data cached on a targeted server, including confidential database records, website customer information, emails, API data, Hadoop information and more.

Hackers could also maliciously modify the data and reinsert it into the cache without the owner’s knowledge.

The newly discovered “flush_all” counter-measure sends a command to an attacking server that suppresses the current DDoS exploitation and invalidates the cache, including any potential malicious payload, an information security training consultant said. It has apparently been tested on live attacking servers and found to be 100% effective with no collateral damage caused.

“Memcached represents a new chapter in DDoS attack executions. Previously, the most recent record-breaking attacks were being orchestrated from relatively low bandwidth Internet of Things (IoT) devices,” said the information security expert and Corero Network Security CEO, Ashley Stephenson.

“In contrast, these Memcached servers are typically connected to higher bandwidth networks and, as a result of high amplification factors, are delivering data avalanches to crippling effect. Unless operators of Memcached servers take action, these attacks will continue.”
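An operator who wants to know whether their own Memcached host is already being abused as a reflector can look for the signature of the attack in flow records: tiny inbound UDP requests to port 11211 answered by vastly larger outbound replies to the same peer. The script below is an added example, not code from the article or from any vendor quoted in it; the flow records, the server address and the ratio threshold are constructed for illustration, and the detection logic generalizes to any flow export that carries protocol, addresses, ports and byte counts.

```python
"""Detect memcached reflection abuse from the cache host's own flow records.

Added example (not from the article). Flow tuples are
(proto, src_ip, src_port, dst_ip, dst_port, bytes); all values below are
constructed sample data, and the thresholds are illustrative assumptions.
"""
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed flow records for cache host 192.0.2.10
SAMPLE_FLOWS = [
    ("udp", "203.0.113.7", 51000, "192.0.2.10", 11211, 60),        # spoofed request
    ("udp", "192.0.2.10", 11211, "203.0.113.7", 51000, 1500000),   # amplified reply
    ("tcp", "198.51.100.4", 40000, "192.0.2.10", 11211, 900),      # normal app traffic
    ("tcp", "192.0.2.10", 11211, "198.51.100.4", 40000, 4000),
    ("udp", "198.51.100.9", 52000, "192.0.2.10", 11211, 80),       # small UDP query
    ("udp", "192.0.2.10", 11211, "198.51.100.9", 52000, 200),      # small reply
    ("udp", "192.0.2.10", 11211, "203.0.113.20", 443, 800000),     # reply with no request seen
]


def find_reflection_victims(flows, server_ip, min_ratio=100.0, min_out_bytes=100000):
    """Return [(peer_ip, amplification_ratio)] for peers that received far more
    UDP bytes from the cache's port 11211 than they sent to it.

    A peer with outbound bytes but no inbound request at all (spoofed packet
    lost to flow sampling) gets a ratio of inf so it is never hidden.
    """
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue  # reflection rides on UDP; TCP cannot be spoofed this way
        if dst == server_ip and dport == MEMCACHED_PORT:
            in_bytes[src] += nbytes
        elif src == server_ip and sport == MEMCACHED_PORT:
            out_bytes[dst] += nbytes

    victims = []
    for peer, sent in out_bytes.items():
        if sent < min_out_bytes:
            continue
        received = in_bytes.get(peer, 0)
        ratio = float("inf") if received == 0 else sent / received
        if ratio >= min_ratio:
            victims.append((peer, ratio))
    victims.sort(key=lambda v: v[1], reverse=True)
    return victims


if __name__ == "__main__":
    for peer, ratio in find_reflection_victims(SAMPLE_FLOWS, "192.0.2.10"):
        print("reflection towards %s, amplification x%s" % (peer, ratio))
```

Each flagged peer is a victim whose address was spoofed in the request, not an attacker, so the useful responses are to stop the cache from answering UDP at all and to rate-limit or drop outbound UDP from port 11211 at the edge while the change is rolled out.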